Set up Fail2Ban

For most setups, you can follow this tutorial to set up fail2ban on your system. It will walk you through creating jails and filters, allowing you to monitor IP addresses that have been banned for too many failed SSH login attempts, as well as too many failed Home Assistant login attempts.

Fail2Ban with Docker

These steps assume you already have the Home Assistant docker running behind NGINX and that it is externally accessible. It also assumes the docker is running with the --net='host' flag.

For those of us using Docker, the above tutorial may not be sufficient. The following steps specifically outline how to set up fail2ban and Home Assistant when running Home Assistant within a Docker behind NGINX. The setup this was tested on was an unRAID server using the let’s encrypt docker from linuxserver.io.

Set http logger

In your configuration.yaml file, add the following to the logger component to ensure that Home Assistant prints failed login attempts to the log.

logger:
  logs:
    homeassistant.components.http.ban: warning

Edit the jail.local file

Next, we need to edit the jail.local file that is included with the Let’s Encrypt docker linked above. Note, for this tutorial, we’ll only be implementing the [hass-iptables] jail from the previously linked tutorial.

Edit /mnt/user/appdata/letsencrypt/fail2ban/jail.local and append the following to the end of the file:

Create a filter for the Home Assistant jail

Now we need to create a filter for fail2ban so that it can properly parse the log. This is done with a failregex. Create a file called hass.local within the filter.d directory in /mnt/user/appdata/letsencrypt/fail2ban and add the following:

Map log file directories

First, we need to make sure that the fail2ban log can be passed to Home Assistant and that the Home Assistant log can be passed to fail2ban. When starting the Let’s Encrypt docker, you need to add the following volume argument (adjust paths based on your setup):

/mnt/user/appdata/home-assistant:/hass

This will map the Home Assistant configuration directory to the Let’s Encrypt docker, allowing fail2ban to parse the log for failed login attempts.

Now do the same for the Home Assistant docker, but this time we’ll be mapping the fail2ban log directory to Home Assistant so that the fail2ban sensor is able to read that log:

/mnt/user/appdata/letsencrypt/log/fail2ban:/fail2ban

Send client IP to Home Assistant

By default, the IP address that Home Assistant sees will be that of the container (something like 172.17.0.16). What this means is that for any failed login attempt, assuming you have correctly configured fail2ban, the Docker IP will be logged as banned, but the originating IP is still allowed to make attempts. We need fail2ban to recognize the originating IP to properly ban it.

First, we have to add the following to the nginx configuration file located in /mnt/user/appdata/letsencrypt/nginx/site-confs/default.

Once that’s added to the nginx configuration, we need to modify the Home Assistant configuration.yaml such that the X-Forwarded-For header can be parsed. This is done by adding the following to the http component:

http:
  use_x_forwarded_for: True

At this point, once the Let’s Encrypt and Home Assistant dockers are restarted, Home Assistant should be correctly logging the originating IP of any failed login attempt. Once that’s done and verified, we can move onto the final step.
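The jail, the failregex filter and the container-IP problem described in the sections above can be checked offline before restarting anything. The following is an added example, not the page's own files and not linuxserver.io's shipped configuration: it parses an assumed jail.local and filter.d/hass.local (fail2ban's ini layout, with `__prefix_line` defined inline instead of coming from common.conf and a simplified `<HOST>` expansion), runs the failregex over constructed Home Assistant log lines, and applies the maxretry/findtime rule the way fail2ban would. The log path `/hass/home-assistant.log` assumes the `/hass` volume mapping shown earlier; the log format follows Home Assistant's `http.ban` warning. The two sample logs show why the X-Forwarded-For step matters: without it every failure is attributed to the container address, so that is the only address that would ever be banned.

```python
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed jail definition in fail2ban's ini layout (not the file the page
# refers to). "filter = hass" selects filter.d/hass.local or hass.conf.
JAIL_LOCAL = """
[hass-iptables]
enabled  = true
filter   = hass
logpath  = /hass/home-assistant.log
maxretry = 5
findtime = 600
bantime  = 3600
"""

# Assumed filter. Real fail2ban pulls __prefix_line in from common.conf; here
# it is defined inline so configparser's %(...)s interpolation resolves it.
FILTER_HASS_LOCAL = r"""
[Definition]
__prefix_line = \S+ \S+ WARNING \(MainThread\) \[homeassistant\.components\.http\.ban\]
failregex = ^%(__prefix_line)s Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =
"""

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4/IPv6 literals only).
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"


def load_jail(jail_text, filter_text, jail_name="hass-iptables"):
    """Parse jail + filter text and return the settings a ban decision needs."""
    jail = configparser.ConfigParser()
    jail.read_string(jail_text)
    flt = configparser.ConfigParser()
    flt.read_string(filter_text)
    section = jail[jail_name]
    failregex = flt["Definition"]["failregex"].replace("<HOST>", HOST_RE)
    return {
        "maxretry": section.getint("maxretry"),
        "findtime": timedelta(seconds=section.getint("findtime")),
        "regex": re.compile(failregex),
    }


def matched_hosts(lines, cfg):
    """Map each host the failregex extracts to the timestamps of its failures."""
    hits = defaultdict(list)
    for line in lines:
        m = cfg["regex"].search(line)
        if m:
            # Home Assistant log lines start with "YYYY-MM-DD HH:MM:SS".
            hits[m.group("host")].append(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"))
    return hits


def offenders(lines, cfg):
    """Hosts fail2ban would ban: maxretry failures inside one findtime window."""
    banned = set()
    n = cfg["maxretry"]
    for host, times in matched_hosts(lines, cfg).items():
        times.sort()
        for i in range(len(times) - n + 1):
            if times[i + n - 1] - times[i] <= cfg["findtime"]:
                banned.add(host)
                break
    return banned


def ha_line(ts, ip):
    """Build a log line in the format Home Assistant's http.ban logger uses."""
    return (f"{ts} WARNING (MainThread) [homeassistant.components.http.ban] "
            f"Login attempt or request with invalid authentication from {ip}")


# Constructed log lines, not captured from a real system.
# Without use_x_forwarded_for every attempt appears to come from the container.
LOG_WITHOUT_XFF = [ha_line(f"2018-03-05 13:0{i}:00", "172.17.0.16") for i in range(5)]

# With the header honoured, the originating addresses are logged.
LOG_WITH_XFF = (
    [ha_line(f"2018-03-05 13:0{i}:00", "203.0.113.7") for i in range(5)]  # 5 failures in 4 min
    + [ha_line(f"2018-03-05 {13 + i // 2}:{30 * (i % 2):02d}:00", "198.51.100.9")
       for i in range(5)]  # 5 failures spread over 2 h: never 5 inside findtime
    + [ha_line("2018-03-05 13:02:30", "192.0.2.5"), ha_line("2018-03-05 13:03:30", "192.0.2.5")]
    + ["2018-03-05 13:05:00 INFO (MainThread) [homeassistant.core] Bus:Handling <Event state_changed>"]
)

CFG = load_jail(JAIL_LOCAL, FILTER_HASS_LOCAL)

if __name__ == "__main__":
    print("without X-Forwarded-For:", offenders(LOG_WITHOUT_XFF, CFG))  # {'172.17.0.16'}
    print("with X-Forwarded-For:   ", offenders(LOG_WITH_XFF, CFG))     # {'203.0.113.7'}
```

Against the real log, the equivalent check is fail2ban's own `fail2ban-regex /hass/home-assistant.log /config/fail2ban/filter.d/hass.local` inside the Let’s Encrypt container (path assumed; adjust to where the container keeps its fail2ban directory): it reports how many lines the failregex matched and which addresses it extracted. The address it extracts is only as trustworthy as the X-Forwarded-For header, so the nginx configuration must set that header itself from the connecting client's address rather than forwarding whatever value arrived in the request.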

Add the fail2ban sensor

Now that we’ve correctly set everything up for Docker, we can add our sensors to configuration.yaml with the following: